The bot reports to the server about the running applications, i.e. The Facebook like button points to the account "AnonymousBr4zil": The ffmpeg application is downloaded from the URL (pointed by the CnC):įollowing the address we can see some dummy page, that may possibly be owned by the attackers. Malicious plugins are identified by "djamelplugin".ĭownloading a plugin - remotedesktop.dll ( e907ebeda7d6fd7f0017a6fb048c4d23): The non-malicious helper binaries cab be identified by the keyword: "djamelreference". The content of each file is prepended by its name. list of the targeted banks.īot saves the configuration in the registry:Īfter that, the CnC sends a set of Base64 encoded PE files. After the beaconing, the server sends to the client the configuration, i.e.
The server sends to the client a command "idjamel" and the client responds with the basic info collected about the victim machine, such as machinename/username, the operating system installed, and a list of running processes. The malware communicates with the CnC server over TCP using port 98. ProcessExplorer and baretail from the attacked machine. The malware has been observed closing and deleting some applications while it is running. File content is not encrypted and if we look inside we can notice that it is saving keystrokes and logging the running applications:Īnother interesting thing we noted is, that the malware downloads legitimate applications: Rar.exe, ffmpeg.exe and related DLLs: DShowNet.dll, tmp files inside it's installation folder. Additional copy of the malware is also dropped in the startup folder:ĭuring it's run, the executable creates. Persistence is achieved with the help of run key. The executable installs itself under the random name, creating its own folder in %APPDATA%. The JS file drops the contained executable inside the %TEMP% folder and then runs it. The mentioned malware family was first discovered in 2015 by MalwarHunterTeam. In this post, we will have a look at this and the other threats possessed by this sample. This malware goes a step further and records full videos, spying on user activities. Most of the malware is sufficient with sending screenshots, made periodically on the infected machine. Using this application, this simple spyware written in.
This time, we analyzed a malware downloading a legitimate ffmpeg. There is a growing trend among malware authors to incorporate legitimate applications in their malicious package.
0 kommentar(er)
